Photographing a single license plate one time on a public city street may not seem problematic, but when that data is put into a database, combined with other scans of that same plate on other city streets, and stored forever, it can become very revealing. Information about your location over time can show not only where you live and work, but your political and religious beliefs, your social and sexual habits, your visits to the doctor, and your associations with others. And, according to recent research reported in Nature, it’s possible to identify 95% of individuals with as few as four randomly selected geospatial datapoints (location + time), making location data the ultimate biometric identifier.

To better gauge the real threat to privacy posed by ALPR, EFF and the ACLU of Southern California asked LAPD and LASD for information on their systems, including their policies on retaining and sharing information and all the license plate data each department collected over the course of a single week in 2012. After both agencies refused to release most of the records we asked for, we sued. We hope to get access to this data, both to show just how much data the agencies are collecting and how revealing it can be.

ALPRs are often touted as an easy way to find stolen cars — the system checks a scanned plate against a database of stolen or wanted cars and can instantly identify a hit, allowing officers to set up a sting to recover the car and catch the thief. But even when there’s no match in the database and no reason to think a car is stolen or involved in a crime, police keep the data. According to the LA Weekly, LAPD and LASD together already have collected more than 160 million “data points” (license plates plus time, date, and exact location) in the greater LA area—that’s more than 20 hits for each of the more than 7 million vehicles registered in L.A. County. That’s a ton of data, but it’s not all — law enforcement officers also have access to private databases containing hundreds of millions of plates and their coordinates collected by “repo” men.

Law enforcement agencies claim that ALPR systems are no different from an officer recording license plate, time and location information by hand. They also argue the data doesn’t warrant any privacy protections because we drive our cars around in public. However, as five justices of the Supreme Court recognized last year in US v. Jones, a case involving GPS tracking, the ease of data collection and the low cost of data storage make technological surveillance solutions such as GPS or ALPR very different from techniques used in the past.

Police are open about their desire to record the movements of every car in case it might one day prove valuable. In 2008, LAPD Police Chief Charlie Beck (then the agency’s chief of detectives) told GovTech Magazine that ALPRs have “unlimited potential” as an investigative tool. “It’s always going to be great for the black-and-white to be driving down the street and find stolen cars rolling around . . . . But the real value comes from the long-term investigative uses of being able to track vehicles—where they’ve been and what they've been doing—and tie that to crimes that have occurred or that will occur.” But amassing data on the movements of law-abiding residents poses a real threat to privacy, while the benefit to public safety is speculative, at best.

In light of privacy concerns, states including Maine, New Jersey, and Virginia have limited the use of ALPRs, and New Hampshire has banned them outright. Even the International Association of Chiefs of Police has issued a report recognizing that “recording driving habits” could raise First Amendment concerns because cameras could record “vehicles parked at addiction-counseling meetings, doctors' offices, health clinics, or even staging areas for political protests.”

But even if ALPRs are permitted, there are still common-sense limits that can allow the public safety benefits of ALPRs while preventing the wholesale tracking of every resident’s movements. Police can and should treat location information from ALPRs like other sensitive information — they should retain it no longer than necessary to determine if it might be relevant to a crime, and should get a warrant to keep it any longer. They should limit who can access it and who they can share it with. And they should put oversight in place to ensure these limits are followed.

Unfortunately, efforts to impose reasonable limits on ALPR tracking in California have failed so far. Last year, legislation that would have limited private and law enforcement retention of ALPR data to 60 days—a limit currently in effect for the California Highway Patrol — and restricted sharing between law enforcement and private companies failed after vigorous opposition from law enforcement. In California, law enforcement agencies remain free to set their own policies on the use and retention of ALPR data, or to have no policy at all.

Some have asked why we would seek public disclosure of the actual license plate data collected by the police—location-based data that we think is private.But we asked specifically for a narrow slice of data — just a week’s worth — to demonstrate how invasive the technology is. Having the data will allow us to see how frequently some plates have been scanned; where and when, specifically, the cops are scanning plates; and just how many plates can be collected in a large metropolitan area over the course of a single week. Actual data will reveal whether ALPRs are deployed primarily in particular areas of Los Angeles and whether some communities might therefore be much more heavily tracked than others.If this data is too private to give a week’s worth to the public to help inform us how the technology is being used, then isn’t it too private to let the police amass years’ worth of data without a warrant?

After the Boston Marathon bombings, many have argued that the government should take advantage of surveillance technology to collect more data rather than less. But we should not so readily give up the very freedoms that terrorists seek to destroy. We should recognize just how revealing ALPR data is and not be afraid to push our police and legislators for sensible limits to protect our basic right to privacy.

Related Updates

Last week, Facebook started sending a small portion of its users a new notification about its face surveillance program, which concludes with two important buttons: “keep off” and “turn on.” This is a step in the right direction: for these users, the default will be no face surveillance...

The California Senate listened to the many voices expressing concern about the use of face surveillance on cameras worn or carried by police officers, and has passed an important bill that will, for three years, prohibit police from turning a tool intended to foster police accountability into one that furthers...

EFF continues our fight to have the U.S. courts protect you from mass government surveillance. Today in our landmark Jewel v. NSA case, we filed our opening brief in the Ninth Circuit Court of Appeals, asserting that the courts don’t have to turn a blind eye to the...

If you open Facebook’s mobile app today, it will likely suggest that you try the company’s new Dating service, which just launched in the U.S. after a rollout in 19 other countries last year. But with the company’s track record of mishandling user data, and its business model of monetizing...

Yesterday Facebook announced it was changing its settings for face recognition, which it has used since 2010 to match known faces in user profile pictures and other photos to unknown faces in newly uploaded photos. This leads to two questions: What exactly has Facebook changed? How many Facebook users...

Hundreds of thousands of Californians last year demanded that big technology companies respect their privacy rights, and supported a movement that led to the California Consumer Privacy Act. The law will go into effect on January 1, 2020. Big technology companies fought hard against the CCPA and have been leaning...

Media outlets reported this week that an international student at Harvard University was deported back to Lebanon after border agents in Boston searched his electronic devices and confronted him about his friends’ social media posts. These allegations raise serious concerns about whether the government is following its own policies regarding...

More than 400 police departments across the country have partnered with Ring, tech giant Amazon’s “smart” doorbell program, to create a troubling new video surveillance system. Ring films and records any interaction or movement happening at the user’s front door, and alerts users’ phones. These partnerships expand the web...

EFF is teaming up with the Mozilla Foundation to tell Venmo to clean up its privacy act. In a public letter sent to President/CEO Dan Schulman and COO Bill Ready today, we are telling Venmo to make transactions private by default and let users hide their friend lists. Both ...

San Francisco – The Electronic Frontier Foundation (EFF) and Mozilla have teamed up in an open letter to Venmo, telling the popular payment app to clean up its privacy settings, which leaves sensitive financial data exposed to the public. Venmo is marketed as a way for friends to send...